Researchers Scrutinize Data-Wiping Trojan, Korea Attacks

Security researchers analyzing Wednesday's wave of network-crippling attacks on bank and broadcaster networks in South Korea said the data-wiping Trojan shares characteristics with financially motivated malware.

About 32,000 computers reportedly were infected with the malware, bringing down the networks of three broadcasters and two major banks in that country. Security researchers said the attacks do not appear to be sophisticated, nor the work of a nation-state. Korean officials were quick to point to North Korea as the source of the attacks and later looked toward China when researchers traced the attacks to a server in China, but most security firms dismissed those charges.

"It goes to show that if criminals want to wreak havoc and shut things down it is within their powers to do so," said George Tubin, senior security strategist at Boston-based malware detection and fraud prevention vendor Trusteer. "Whether it is financials or energy, there's a real battle that is happening in the background that the general public doesn't see, so when you see attacks like this that become public it's a sliver of a glimpse as to what is happening out there."

Rather than stealing information or remaining stealthy, this group chose to flex its muscle and shut down networks, something nation-states continually work on and that even financially motivated cybercriminals attempt in certain industries, Tubin told CRN. There are many attack techniques and penetrated networks that haven't yet been discovered, he said.

Other security firms are busy analyzing the malware samples and techniques used to get a better picture of the cybercriminals behind the attacks.

"Obviously, the attacks were designed to be 'loud' [because] the victims are broadcasting companies and banks," according to researchers at Kaspersky Lab. "This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame."

Security firm Trend Micro said the routine used to target the master boot record of the infected computer systems mirrors that of ransomware used by scammers to hijack systems and demand money from victims. "At this point, there is no evidence that these attacks were coordinated or connected in any manner; the timing may have been purely coincidental or opportunistic," Trend Micro said in its analysis of the attack.

Jaime Blasco, a threat researcher at antimalware vendor AlienVault, said the attackers could have rented the botnet infrastructure tied to the GonDad exploit kit, an attack toolkit that has infected a number of South Korean websites. In his analysis of the attack, Blasco said the attackers could have rented the botnet to gain access "to hundreds of computers and try to find victims inside interesting targets."

Blasco found malware samples that could generate the file names associated with the attacks, and others whose behavior and routines match those of malware tied to the GonDad exploit kit. While admitting that it is only a theory, he said it's possible to quietly infect a high number of victims and then later return to issue a command to wipe the systems and display a message. The GonDad kit is hosted on websites in nearly a hundred countries and recently added a Java exploit to infect victims.

"You should take into account that this is only a theory and it could even be a very small part of all the infrastructure they could have used," Blasco wrote.